Web Security Training

Navigating the web security landscape


The websec digest #16

The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This edition starts with a story of the theft of $8000 in bitcoin, even though the wallet was protected with two-factor authentication.

The headline of this edition is the account of Cody Brown, who had $8000 of bitcoins stolen from his online wallet at Coinbase. He was targeted after speaking out about Coinbase’s unsatisfactory response to hacking incidents. Why is this a story at all? Because the thieves bypassed the SMS-based two-factor authentication system, simply by convincing Verizon to transfer control of the account to one of the thieves.

Remember, 2FA is only as strong as the weakest link, and mobile phone numbers are not a very strong protection mechanism.

While the news about data breaches has been toned down a bit, they still happen on a regular basis. One of the more noteworthy breaches of late is this breach at a cosmetic surgery clinic. The hackers are attempting to extort both the clinic and its clients using the stolen data, which includes sensitive pre-operation pictures.

The problem with these data breaches is that once the data is out, it’s virtually impossible to reclaim control over it.

Next up is an illustration that building secure software is far from trivial, even if you’re one of the top players on the Internet. A bug bounty hunter disclosed that Twitter was running vulnerable code that allowed an attacker to tweet as any user. The report of the vulnerability has been disclosed, and a bounty of $7560 has been awarded.

And as always, we’ll end the digest on a positive note. During the annual WWDC conference, Apple announced a bunch of new features for its browser, Safari. Apart from support for technologies such as WebRTC and WebAssembly, the new Safari will also bring a technology named Intelligent Tracking Prevention, which aims to reduce cross-site tracking practices.

Upcoming Events

In the coming month, you can catch me speaking at the following events:

As usual, you can find the full list of events on my speaking page.
